Hacker News
by westurner 432 days ago
Related issue: secured DNS must downgrade/fall back to unsecured DNS because of captive portal DNS redirection (because captive portals block access to DNS until the user logs in, and the user can't log into the captive portal without DNS redirection that is prevented by DoH, DoT, and DoQ).

Impact: if you set up someone's computer to use secured DNS only, and their device doesn't have per-SSID connection profiles, then they can't use captive portal hotspot Wi-Fi without knowing how to disable secured DNS.

"Do not downgrade to unsecured DNS unless it's an explicitly authorized captive portal"

IIRC there's a new-ish way to configure DNS-over-HTTPS over DHCP like there is for normal DNS.
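
One way to express the quoted rule as a fail-closed resolver policy, added here as an example and not part of the comment above or taken from any real DNS client. The `NetworkState` fields, the per-SSID allowlist, its sample SSIDs and the 300-second window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class DnsMode(Enum):
    SECURE_ONLY = "secure-only"            # DoH/DoT/DoQ only
    PLAINTEXT_PORTAL = "plaintext-portal"  # temporary, for portal login only
    BLOCKED = "blocked"                    # fail closed: no resolution


@dataclass(frozen=True)
class NetworkState:
    ssid: str
    secure_dns_reachable: bool  # a DoH/DoT/DoQ handshake succeeded
    portal_detected: bool       # connectivity probe was intercepted
    portal_login_done: bool     # probe now returns the expected answer
    downgrade_age_s: int        # seconds since plaintext DNS was first allowed


# Hypothetical per-SSID profile: networks where the user explicitly
# authorized a captive-portal downgrade (constructed sample values).
AUTHORIZED_PORTAL_SSIDS = frozenset({"Hotel-Guest", "Airport-Free-WiFi"})
MAX_PORTAL_WINDOW_S = 300  # assumed upper bound on the plaintext window


def choose_dns_mode(state: NetworkState,
                    authorized=AUTHORIZED_PORTAL_SSIDS) -> DnsMode:
    """Decide how DNS may be resolved on the current network."""
    if state.secure_dns_reachable:
        return DnsMode.SECURE_ONLY
    # Secure DNS is blocked. Downgrade only when every condition holds;
    # an SSID can be imitated, so the window is also time-bounded and
    # ends as soon as the portal login completes.
    may_downgrade = (
        state.portal_detected
        and not state.portal_login_done
        and state.ssid in authorized
        and state.downgrade_age_s < MAX_PORTAL_WINDOW_S
    )
    return DnsMode.PLAINTEXT_PORTAL if may_downgrade else DnsMode.BLOCKED


if __name__ == "__main__":
    for s in (NetworkState("Hotel-Guest", False, True, False, 10),
              NetworkState("Unknown-Cafe", False, True, False, 10),
              NetworkState("Hotel-Guest", False, True, True, 40)):
        print(s.ssid, s.portal_login_done, "->", choose_dns_mode(s).value)
```
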